CVE-2011-1015: CGI directory traversal

The is_cgi() method in CGIHTTPServer.py in the CGIHTTPServer module in Python 2.5, 2.6, and 3.0 allows remote attackers to read script source code via an HTTP GET request that lacks a / (slash) character at the beginning of the URI.

  • Disclosure date: 2008-03-07 (Python issue #2254 reported)

Fixed In

Python issue

Python CGIHTTPServer information disclosure.

  • Python issue: issue #2254
  • Creation date: 2008-03-07
  • Reporter: sumar

CVE-2011-1015

The is_cgi method in CGIHTTPServer.py in the CGIHTTPServer module in Python 2.5, 2.6, and 3.0 allows remote attackers to read script source code via an HTTP GET request that lacks a / (slash) character at the beginning of the URI.
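A simplified model of the check described above, added here as an illustration and not the CPython source: a raw prefix comparison against the CGI directories does not match a request target that lacks the leading slash, so the request is handled as a static file and the script's source is returned instead of its output. The function names, the `CGI_DIRECTORIES` value and the sample request targets are assumptions constructed for this example.

```python
import posixpath
from urllib.parse import unquote

# Assumed configuration for the example: directories whose files are executed.
CGI_DIRECTORIES = ["/cgi-bin", "/htbin"]


def is_cgi_prefix_only(path):
    """Model of the flawed check: compares the raw request target."""
    for d in CGI_DIRECTORIES:
        n = len(d)
        if path[:n] == d and (not path[n:] or path[n] == "/"):
            return True
    return False


def is_cgi_normalized(path):
    """Hardened model: canonicalize the target, then compare."""
    path = unquote(path.split("?", 1)[0])          # drop query, decode %xx
    # Force an absolute path and collapse "." / ".." / duplicate slashes.
    norm = posixpath.normpath("/" + path.lstrip("/"))
    return any(norm == d or norm.startswith(d + "/") for d in CGI_DIRECTORIES)


def dispatch(path, is_cgi):
    """What the server does with the request under a given check."""
    # "serve-as-file" means a static handler resolves the path under the
    # document root and returns the file's bytes, i.e. the script source.
    return "execute" if is_cgi(path) else "serve-as-file"


def misclassified(targets):
    """Targets the raw check treats as static but that resolve into a CGI dir."""
    return [t for t in targets
            if is_cgi_normalized(t) and not is_cgi_prefix_only(t)]


# Constructed request targets (not taken from the advisory).
SAMPLE_TARGETS = [
    "/cgi-bin/test.py",     # normal request: executed
    "cgi-bin/test.py",      # no leading slash: the case in CVE-2011-1015
    "/index.html",          # ordinary static file
    "/cgi-binx/notes.txt",  # similar prefix, not a CGI directory
]

if __name__ == "__main__":
    for t in SAMPLE_TARGETS:
        print(f"{t!r:24} raw={dispatch(t, is_cgi_prefix_only):14} "
              f"normalized={dispatch(t, is_cgi_normalized)}")
```

Running `misclassified()` over request targets taken from access logs is one way to look for requests that would have been served as source by a server using the raw comparison.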

Timeline

Timeline using the disclosure date 2008-03-07 as reference:

  • 2008-03-07: Python issue #2254 reported by sumar
  • 2009-04-06 (+395 days): commit 923ba36
  • 2010-07-03 (+848 days): Python 2.7.0 released
  • 2011-05-09 (+1158 days): CVE-2011-1015 published
  • 2013-04-07 (+1857 days): Python 3.2.4 released
  • 2013-04-07 (+1857 days): Python 3.3.1 released
  • 2014-03-16: Python 3.4.0 released